Date: Fri, 11 Feb 2022 11:58:14 -0800
From: Kees Cook <keescook@...omium.org>
To: Robert Święcki <robert@...ecki.net>
Cc: "Eric W. Biederman" <ebiederm@...ssion.com>, Andy Lutomirski <luto@...capital.net>, Will Drewry <wad@...omium.org>, linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH 0/3] signal: HANDLER_EXIT should clear SIGNAL_UNKILLABLE

On February 11, 2022 4:54:26 AM PST, "Robert Święcki" <robert@...ecki.net> wrote:
>> It's mainly about the exit stuff having never been run before on these
>> kinds of process states, so things don't make sense. For example, on the
>> SIGSYS death, the registers have been rewound for the coredump, so when
>> the exit trace runs on x86 it sees the syscall return value as equal to
>> the syscall number (since %rax is used for the syscall number on entry
>> and for the syscall result on exit). So when a tracer watches a seccomp
>> fatal SIGSYS, it sees the syscall exit before it sees the child exit
>> (and therefore the signal). For example, x86_64 write (syscall number
>> 1), will return as if it had written 1 byte. :P
>>
>> So, it's not harmful, but it's confusing and weird. :)
>>
>> > I am trying to figure out if there is a case to be made that it was a
>> > bug that these events were missing.
>>
>> I don't think so -- the syscall did not finish, so there isn't a valid
>> return code. The process exited before it completed.
>
>A tangential point: please ignore for the purpose of fixing the
>problem at hand. I'm mostly making it, in case it can be taken into
>account in case some bigger changes to this code path are to be made -
>given that it touches the problem of signal delivery.
>
>When I noticed this problem, I was looking for a way to figure out
>what syscall caused SIGSYS (via SECCOMP_RET_KILL_*), and there's no
>easy way to do that programmatically from the perspective of a parent
>process. There are three ways of doing this that come to mind.

I had hoped that the parent could read the SIGSYS siginfo_t from the child,
but I haven't found any way to do this. :( :(

I don't seem to be able to use:

- PTRACE_ATTACH to use PTRACE_PEEKSIGINFO on a dead process.
- signalfd (nothing is in the fd after the exit).

Hmpf.

-- 
Kees Cook
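
What a parent can observe through waitid() when a child dies from a SECCOMP_RET_KILL_* action, as an added example that is not part of the original message or of the kernel tree. The filter, the choice of getppid(2) as the killed syscall, and the function names are constructed for illustration.

```c
#define _GNU_SOURCE
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Child side (constructed filter): kill on getppid(2), allow the rest.
 * A production filter must also validate seccomp_data.arch. */
static void child_trigger_kill(void)
{
    struct sock_filter insns[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_getppid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL), /* single thread: process dies */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = 4, .filter = insns };
    struct rlimit no_core = { 0, 0 };
    setrlimit(RLIMIT_CORE, &no_core);          /* avoid leaving core files behind */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
        _exit(2);                              /* seccomp filtering unavailable */
    syscall(SYS_getppid);                      /* fatal SIGSYS is raised here */
    _exit(3);                                  /* not reached when the filter works */
}

/* Parent side: fork the child, reap it, return waitid()'s result (0 on success). */
int reap_seccomp_child(siginfo_t *info)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) child_trigger_kill();
    return waitid(P_PID, pid, info, WEXITED);
}

int main(void)
{
    siginfo_t info = { 0 };
    if (reap_seccomp_child(&info)) return 1;
    /* SIGCHLD layout only: si_status is the signal number, no syscall number. */
    printf("si_code=%d si_status=%d (SIGSYS=%d)\n", info.si_code, info.si_status, SIGSYS);
    return 0;
}
```

The parent learns that the child was killed by SIGSYS and nothing about which syscall triggered it, which is the gap the message describes.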